Troubleshooting DFS (dfsdiag)

DFS is a complex service that involves many processes and interactions between clients, root servers, and domain controllers.

Steps

  1. When a DFS client accesses a namespace, the client always chooses the first target in the target list in the referral.
  2. If the first target is available, a session setup is performed and client credentials are passed to the server, unless a prior connection already exists with the selected target.
  3. If the selected target cannot be accessed, the client attempts to access the next target in the list, and so on, until all targets are exhausted. If all targets are unavailable, then the client cannot access that portion of the DFS namespace.


  • NetBIOS name resolution is used for \\domaindfsroot\rootname (it is possible to use DNS only): WINS is the best option
  • Domain controllers (hosting the domain-based DFS) must be reachable using RPC


DFSUTIL command

  • dfsutil /root:\\<Domain>\<Namespace Root> /view >.\dfsutil_view.txt

DFSDIAG command

/TestDCs : Checks domain controller configuration

  • dfsdiag /testdcs >.\dfsdiag_testdcs.txt


/TestDFSIntegrity: Checks DFS Namespace integrity.

  • dfsdiag.exe /testdfsintegrity /dfsroot:\\<Domain>\<Namespace Root> /recurse /full >.\dfsdiag_testdfsintegrity.txt

/TestDFSConfig: Checks DFS Namespace configuration.

  • dfsdiag /testDFSConfig /DFSROOT:\\domain\<namespace>

/TestReferral: Checks referral responses.

  • dfsdiag /testreferral /dfspath:\\<Domain>\<Namespace Root> /full >.\dfsdiag_testreferral.txt

Ports required:

SERVICE NAME                                   RELEVANT COMPUTERS        UDP    TCP
NetBIOS Name Service                           all DFS computers (*)     137    137
NetBIOS Datagram Service                       all DFS computers (*)     138    -
NetBIOS Session Service                        all DFS computers (*)     -      139
LDAP Server                                    Domain controllers        389    389
Remote Procedure Call (RPC) endpoint mapper    Domain controllers        -      135
Server Message Block (SMB)                     all DFS computers (*)     445    445

(*) Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets.
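As an added example (not part of the original notes), a PowerShell function that runs the dfsutil/dfsdiag checks listed above into one output folder and then probes the TCP ports from this table on the domain controllers and root servers. It assumes the DFS tools are installed, that the caller supplies the DC and root-server hostnames (contoso.com, DC-01 and Root-DFS-0x below are placeholders taken from the capture example), and that Test-NetConnection is available (Windows 8 / Server 2012 or later); UDP 137/138 cannot be probed this way and are only noted.

```powershell
function Invoke-DfsTroubleshooting {
    param(
        [Parameter(Mandatory)][string]$Domain,              # e.g. contoso.com (placeholder)
        [Parameter(Mandatory)][string]$NamespaceRoot,       # e.g. Public
        [Parameter(Mandatory)][string[]]$DomainControllers, # hostnames to probe for LDAP/RPC
        [string[]]$RootServers = @(),                       # root servers that are not DCs
        [string]$OutDir = (Join-Path $PWD 'dfs-diag')
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $root = "\\$Domain\$NamespaceRoot"

    # 1. The same dfsutil/dfsdiag checks as in the notes, one output file per test.
    dfsutil "/root:$root" /view                               | Out-File (Join-Path $OutDir 'dfsutil_view.txt')
    dfsdiag /testdcs                                          | Out-File (Join-Path $OutDir 'dfsdiag_testdcs.txt')
    dfsdiag /testdfsconfig "/dfsroot:$root"                   | Out-File (Join-Path $OutDir 'dfsdiag_testdfsconfig.txt')
    dfsdiag /testdfsintegrity "/dfsroot:$root" /recurse /full | Out-File (Join-Path $OutDir 'dfsdiag_testdfsintegrity.txt')
    dfsdiag /testreferral "/dfspath:$root" /full              | Out-File (Join-Path $OutDir 'dfsdiag_testreferral.txt')

    # 2. TCP ports from the table above. DCs additionally need LDAP (389) and the
    #    RPC endpoint mapper (135); every root server needs NetBIOS session (139)
    #    and SMB (445). UDP 137/138 (NetBIOS name/datagram) cannot be probed with
    #    Test-NetConnection, so they are not checked here.
    $checks = @()
    foreach ($dc in $DomainControllers) {
        foreach ($p in 135, 139, 389, 445) {
            $checks += [pscustomobject]@{ Computer = $dc; Role = 'DC'; Port = $p }
        }
    }
    foreach ($srv in $RootServers) {
        foreach ($p in 139, 445) {
            $checks += [pscustomobject]@{ Computer = $srv; Role = 'RootServer'; Port = $p }
        }
    }
    $results = foreach ($c in $checks) {
        $open = Test-NetConnection -ComputerName $c.Computer -Port $c.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Computer = $c.Computer; Role = $c.Role; TcpPort = $c.Port; Open = $open }
    }
    $results | Export-Csv (Join-Path $OutDir 'port_checks.csv') -NoTypeInformation
    return $results
}

# Usage (hostnames are placeholders); list only the closed ports:
# Invoke-DfsTroubleshooting -Domain contoso.com -NamespaceRoot Public `
#     -DomainControllers DC-01 -RootServers Root-DFS-01,Root-DFS-02,Root-DFS-03 |
#     Where-Object { -not $_.Open }
```

Run it from an elevated prompt on a domain-joined machine; a closed 135/389 on a DC or 445 on a root server explains a failed /testdcs or referral before reading the full dfsdiag output.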


Network Capture of a Client Accessing a Domain-based Namespace reveals the following main steps:

  • The client connects to IPC$ on DC-01 to request access to a folder hosted on DFS.
  • The client requests a root referral for the \\Contoso.com\Public namespace.
  • The domain controller provides a root referral that contains three root servers, \\Root-DFS-03\Public, \\Root-DFS-02\Public, and \\Root-DFS-01\Public.
  • The client establishes a connection with the first DFS root server in the referral, Root-DFS-03.
  • The client navigates to the “Software” link folder on the root server.
  • The root DFS server responds with the STATUS_PATH_NOT_COVERED message, which indicates that this is a “link folder” and that the client must request a link referral.
  • The client connects to IPC$ on the root server.
  • The client requests a link referral to the Software link.
  • The root server sends a link referral that contains three link targets for the Software link: \\Noam-FS-1\Apps, \\Noam-FS-3\Apps, and \\Noam-FS-2\Apps.
  • The DFS client sets up a session with the first link target in the referral, \\Noam-FS-1\Apps.
